HipChat hack leads to precautionary password reset

Australian enterprise software firm Atlassian has told customers that it recently suffered a security breach that saw hackers access names, usernames, email addresses and encrypted passwords for users of its HipChat group messaging application.

According to Craig Davies, who heads up Atlassian’s security team, “a very small percentage” (less than 2%) of the firm’s customers are affected.

No evidence has been found that the hackers managed to access payment information – which is obviously a relief.

In further good news, if you chose a strong, hard-to-guess password, hackers are going to find it difficult to crack.

“While HipChat passwords are one-way encrypted (hashed and salted), as an added precaution we have triggered a password reset for all affected HipChat user accounts and all Atlassian services that share the same email address.”

When a password is properly salted and hashed, it goes through a one-way process that cannot be easily reversed. Indeed, it can take considerable computing power and time to have a chance of determining a single, simple password, let alone drill through a database of many millions.
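The salted, one-way hashing described above, sketched as an added example (not Atlassian's code). The article does not name the algorithm HipChat used, so PBKDF2-HMAC-SHA256, the iteration count, the function names and the sample passwords are all assumptions made for illustration:

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Assumed parameters; the article does not state HipChat's algorithm or cost.
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for storage. A fresh random salt is drawn per user."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


def shared_digests(passwords: List[str], salted: bool) -> int:
    """Count stored digests that duplicate another user's digest.

    With one fixed salt (salted=False), identical passwords give identical
    digests, so one guess tests every user at once. With per-user salts,
    every digest differs and each user must be attacked separately.
    """
    fixed = b"\x00" * SALT_BYTES
    digests = [hash_password(p, None if salted else fixed)[1] for p in passwords]
    return len(digests) - len(set(digests))


if __name__ == "__main__":
    # Constructed sample data: two users happen to share a password.
    users = ["hunter2", "hunter2", "correct horse battery staple"]
    print("duplicate digests, fixed salt:   ", shared_digests(users, salted=False))
    print("duplicate digests, per-user salt:", shared_digests(users, salted=True))
    salt, stored = hash_password(users[0])
    print("right password verifies:", verify_password("hunter2", salt, stored))
    print("wrong password verifies:", verify_password("hunter3", salt, stored))
```

The iteration count is what makes each guess expensive, and the per-user salt is what forces that cost to be paid again for every account in the database.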

Of course, even if HipChat users’ passwords don’t get cracked, that doesn’t mean they are out of the woods. With the other information that the hackers stole, it would be trivial to launch – for instance – an email phishing campaign against HipChat users, in a second attempt to grab their login credentials.

So it makes sense for HipChat users to not only change their passwords as a precaution, but also to be on their guard against other potential attacks.